phpisthebest
The entire purpose of bitwarden is they do not have your unencrypted data in the first place, so what is the fear there?
Well, based on what everyone fears is happening over at LastPass, attackers just download all the encrypted vaults, then brute force the master passwords.
I have a hard-to-guess master password, but it wouldn't surprise me if they could crack it with a 2026 vintage GPU farm.
Anyone who doubts you should run zxcvbn and more modern entropy estimators against their passwords. Our intuitions are not good. Offering password-based encryption to normal users is borderline unethical.
The Bitwarden webvault infrastructure is a doomsday target. If it's compromised, no evidence of a client backdoor will exist except in the server logs. You can't avoid using it, because you need to sign into the webvault to configure 2FA. Want to change the encryption passphrase? Guess what, you need to use the webvault. Bitwarden's vault encryption is essentially reduced to the security model of TLS.
And? If you don't trust TLS then I assume you don't trust web banking, or purchasing anything over the internet for that matter. Might as well give up on technology and go find yourself a nice quiet pastoral life.
For me personally, I don't actually trust any of that.
Any purchase I do online is done with a virtual card that links to a bank account that only ever has the amount I need to pay for whatever it is I am currently purchasing. That way it doesn't matter if the information is stolen etc., because there is no more money to use and I can cancel the card as easily as I can create a new one.
For banking I also only use my bank's official app. I don't know how exactly it works and I assume it does use some form of http and whatnot, but I wouldn't trust using a bank through the browser, as you never know what kind of thing an extension or something has in there.
I trust the cryptography behind TLS. I don’t trust every website using TLS. The difference between end-to-end encryption and transport-layer encryption is the website operator can recover the plaintext. And the point of the comment I responded to was that Bitwarden data is not recoverable. I’m glad that you think E2EE is a waste of effort though.
Following up, I find it funny that this old meme comment thought orders and banking are our most trusted activities, and not our communications and data storage.